From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Steve French Subject: [PATCH 4.2 060/134] CIFS: fix type confusion in copy offload ioctl Date: Sat, 26 Sep 2015 13:55:12 -0700 Message-Id: <20150926205315.442904531@linuxfoundation.org> In-Reply-To: <20150926205311.819185658@linuxfoundation.org> References: <20150926205311.819185658@linuxfoundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 Sender: linux-kernel-owner@vger.kernel.org List-ID: 4.2-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn commit 4c17a6d56bb0cad3066a714e94f7185a24b40f49 upstream. This might lead to local privilege escalation (code execution as kernel) for systems where the following conditions are met: - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled - a cifs filesystem is mounted where: - the mount option "vers" was used and set to a value >=2.0 - the attacker has write access to at least one file on the filesystem To attack this, an attacker would have to guess the target_tcon pointer (but guessing wrong doesn't cause a crash, it just returns an error code) and win a narrow race. Signed-off-by: Jann Horn Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman --- fs/cifs/ioctl.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/fs/cifs/ioctl.c +++ b/fs/cifs/ioctl.c @@ -70,6 +70,12 @@ static long cifs_ioctl_clone(unsigned in goto out_drop_write; } + if (src_file.file->f_op->unlocked_ioctl != cifs_ioctl) { + rc = -EBADF; + cifs_dbg(VFS, "src file seems to be from a different filesystem type\n"); + goto out_fput; + } + if ((!src_file.file->private_data) || (!dst_file->private_data)) { rc = -EBADF; cifs_dbg(VFS, "missing cifsFileInfo on copy range src file\n");